This post gives practical, actionable steps to configure endpoint controls that enforce NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 control MP.L2-3.8.7: blocking unauthorized USB mass storage, allowlisting approved hardware by VID/PID and serial number, and requiring encryption for permitted removable media. It includes real-world examples and tips for small businesses that must meet CMMC requirements.
Why this control matters and the compliance objective
MP.L2-3.8.7 ("Control the use of removable media on system components") is focused on preventing data exfiltration and malware introduction via removable media. For organizations that handle Controlled Unclassified Information (CUI), the objective is simple: deny unmanaged, unencrypted USB storage, allow only vetted devices, and ensure any allowed media is encrypted and auditable. Two neighbouring requirements are usually satisfied by the same configuration: 3.8.6 (cryptographic protection of CUI on digital media in transport) is what drives the encryption requirement, and 3.8.8 (no portable storage without an identifiable owner) is what a serial-number allowlist tied to a named owner gives you. Together these reduce insider risk, accidental leaks, and contractor non-compliance while satisfying the NIST SP 800-171 / CMMC requirement.
Implementation overview (high level)
Successful enforcement uses three layered capabilities: device blocking at the OS/driver level, allowlisting specific hardware (or hardware-encrypted drives with known serial numbers) for approved media, and mandatory encryption for any permitted removable drive. Implement these via your endpoint management (Intune/Jamf/other MDM), EDR device-control features (Microsoft Defender for Endpoint or a third-party product), Group Policy (Windows), or USBGuard (Linux). Instrument logging and a documented exception workflow so auditors can see policy enforcement, justifications, and remediation.
Windows - concrete steps and settings
For Windows endpoints (typical for small businesses), use Microsoft Intune or AD Group Policy plus Defender for Endpoint (or third-party EDR) device control. Key settings:
- Block mass storage but not HID devices: Computer Configuration → Administrative Templates → System → Removable Storage Access → "All Removable Storage classes: Deny all access". This denies the storage device classes only; keyboards and mice are unaffected.
- Enforce BitLocker To Go for removable drives: Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives → "Deny write access to removable drives not protected by BitLocker". Intune exposes the equivalent in the Endpoint protection profile under Windows Encryption (removable drive settings). Note that Intune's "Require device encryption" setting targets the OS drive, not removable media, so it does not substitute for the removable-drive policy.
- Allowlist by hardware ID: collect the allowed devices' VID/PID and serial numbers via PowerShell, for example `Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\VID_*' } | Select-Object FriendlyName, InstanceId` (a single backslash in the pattern; the instance ID has the form USB\VID_xxxx&PID_yyyy\serial). Then deploy a device-control policy (Microsoft Defender for Endpoint or third-party) that allows the specific device IDs and blocks everything else.
- Registry quick-block (if needed): set HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start (REG_DWORD) to 4 to disable the usbstor driver. Newly attached USB mass-storage devices then get no driver; reboot to be sure already-mounted devices are released. Use with caution: it is a blunt instrument with no allowlist, and it does not cover phones and cameras that mount as MTP/PTP devices through WPD rather than USBSTOR. HID devices (keyboard/mouse) are not affected.
Also configure the BitLocker cipher: Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → "Choose drive encryption method and cipher strength" and select XTS-AES 256-bit for removable data drives. Caveat: removable drives encrypted with XTS-AES cannot be unlocked on Windows versions older than Windows 10 1511; if media must be read on such systems, AES-CBC 256 is the compatible choice. Use manage-bde or Enable-BitLocker in provisioning scripts, and escrow recovery keys to Active Directory or Azure AD (Entra ID) so a forgotten password does not become a data-loss incident.
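The inventory and encryption checks described above, as an added example that is not part of the original post: it walks from each USBSTOR disk node to its USB parent (where VID, PID and serial live), flags devices that report no real serial number, and reports whether each mounted removable volume is BitLocker-protected with XTS-AES 256. It assumes an elevated PowerShell session on Windows 10/11 with the built-in PnpDevice, Storage and BitLocker modules; the CSV output path is an assumption.

```powershell
# Added example, not from the original post. Requires an elevated Windows
# PowerShell 5.1 / PowerShell 7 session on Windows 10/11 with the built-in
# PnpDevice, Storage and BitLocker modules. The CSV path is an assumption.

function Get-UsbStorageInventory {
    # USBSTOR disk nodes carry vendor/model; VID, PID and serial live on the USB parent.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                           -KeyName 'DEVPKEY_Device_Parent').Data
            # Parent looks like USB\VID_0781&PID_5583\4C530001231020104242
            # (composite devices insert &MI_nn before the serial component).
            if ($parent -match '^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})[^\\]*\\(.+)$') {
                [pscustomobject]@{
                    FriendlyName = $_.FriendlyName
                    VID          = $Matches[1].ToUpper()
                    PID          = $Matches[2].ToUpper()
                    Serial       = $Matches[3]
                    # VID_PID in the form Defender device control descriptors use
                    VID_PID      = ('{0}_{1}' -f $Matches[1], $Matches[2]).ToUpper()
                    # A serial containing '&' is a Windows-generated instance id: the
                    # device reports no USB serial and cannot be allowlisted by serial.
                    HasSerial    = ($Matches[3] -notmatch '&')
                    InstancePath = $parent
                }
            }
        }
}

function Test-RemovableVolumeEncryption {
    # Policy in this post: protection on and XTS-AES 256; anything else is non-compliant.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Z]$' } |
        ForEach-Object {
            $mp = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive            = $mp
                FileSystem       = $_.FileSystem
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unsupported' }
                EncryptionMethod = if ($bl) { $bl.EncryptionMethod } else { 'None' }
                Compliant        = [bool]($bl -and $bl.ProtectionStatus -eq 'On' -and $bl.EncryptionMethod -eq 'XtsAes256')
            }
        }
}

$inventory = Get-UsbStorageInventory
$inventory | Format-Table FriendlyName, VID_PID, Serial, HasSerial -AutoSize
# Assumed output location; feed this CSV into the allowlist review.
$inventory | Export-Csv -Path "$env:USERPROFILE\usb-inventory.csv" -NoTypeInformation

Test-RemovableVolumeEncryption | Format-Table -AutoSize
```

Run it on a reference machine with the candidate drives attached before writing the allowlist: a drive with HasSerial = False has no device serial to pin, and a volume reporting Aes256 or Aes128 rather than XtsAes256 was encrypted under an older cipher policy and needs re-encryption (manage-bde -off followed by -on, or Disable-BitLocker / Enable-BitLocker) before it is compliant with the cipher setting above.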
macOS, Linux and cross-platform concerns
On macOS, use Jamf or another MDM to restrict mounting of external volumes and require FileVault for internal drives; for removable drives, require encrypted APFS volumes or issue company-managed hardware-encrypted USBs. macOS has few native controls for allowlisting by VID/PID, so rely on third-party device-control products (e.g., Endpoint Protector, Digital Guardian) that ship as system extensions built on Apple's Endpoint Security framework (kernel extensions are deprecated on current macOS). For Linux endpoints, USBGuard provides a robust allow/deny model using device attributes including vendor/product IDs, serial numbers, interface classes, and a hash of the device descriptor; deploy the rule set via configuration management (Ansible) and forward its audit events to your SIEM.
Whitelisting and encryption β real examples for a small business
Example scenario: a 50-user subcontractor that processes CUI chooses Intune + Defender for Endpoint. Implementation steps:
1) Inventory current USB devices and produce a CSV of VID/PID and serial numbers, using PowerShell on Windows and lsusb/udevadm on Linux.
2) Create a Defender for Endpoint device-control policy that blocks all removable storage by default, with an excluded (allowed) group containing only company-issued drives: FIPS 140-validated hardware-encrypted drives with known serial numbers, each recorded against a named owner. Only the listed devices match the allow group. Keep in mind that VID, PID and serial are asserted by the device and can be cloned by a malicious "BadUSB" device, so the allowlist controls accidental use and commodity drives; the encryption requirement is the layer that protects the data itself.
3) Require BitLocker To Go with XTS-AES 256 and configure "Deny write access to removable drives not protected by BitLocker", so a drive that is allowed to mount still cannot be written to unless it is encrypted.
4) Escrow BitLocker recovery keys to Azure AD (Entra ID) or Active Directory, and ship device-control attach/block events from Defender to your SIEM, retaining them for the period your contract requires (commonly a year or more).
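Step 2 above, as an added example that is not part of the original post: a script that generates the two XML files a Group Policy deployment of Defender for Endpoint device control consumes (policy groups and policy rules) from an approved-device list, so the allowlist is derived from inventory data instead of hand-edited XML. The CSV rows and serial numbers are constructed sample data, the policy and group GUIDs are generated on first run and must then be pinned, and the element names follow the Defender for Endpoint device-control schema; confirm the serial format Defender reports for your own drives before deploying.

```powershell
# Added example, not from the original post. Emits Groups.xml and Rules.xml for
# Defender for Endpoint device control (Group Policy deployment). The approved
# list below is constructed sample data; output paths are assumptions.

$approvedCsv = @'
Serial,VID_PID,Owner
4C530001231020104242,0781_5583,j.doe
AA04012700012345,0951_1666,a.smith
'@
$approved = $approvedCsv | ConvertFrom-Csv

# Device-control ids are brace-wrapped GUIDs. Generate once, then pin them in
# source control: changing an id on re-deploy creates a new, unrelated object.
function New-DcId { '{' + [guid]::NewGuid().ToString() + '}' }
$id = @{
    AllRemovable = New-DcId; Approved = New-DcId
    DenyRule = New-DcId;     AuditRule = New-DcId
    DenyEntry = New-DcId;    AuditDeniedEntry = New-DcId; AuditAllowedEntry = New-DcId
}

# One SerialNumberId per approved drive; MatchAny makes the group "any of these".
$serialDescriptors = ($approved | ForEach-Object {
    "      <SerialNumberId>$([System.Security.SecurityElement]::Escape($_.Serial))</SerialNumberId>"
}) -join "`n"

$groupsXml = @"
<Groups>
  <Group Id="$($id.AllRemovable)">
    <Name>All removable storage</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>
  <Group Id="$($id.Approved)">
    <Name>Company-issued encrypted drives</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
$serialDescriptors
    </DescriptorIdList>
  </Group>
</Groups>
"@

# AccessMask bits for removable storage: 1 read, 2 write, 4 execute (7 = all).
# AuditDenied Options 3 = notify the user and send an event; AuditAllowed Options 2 = send an event.
$rulesXml = @"
<PolicyRules>
  <PolicyRule Id="$($id.DenyRule)">
    <Name>Deny removable storage except approved drives</Name>
    <IncludedIdList><GroupId>$($id.AllRemovable)</GroupId></IncludedIdList>
    <ExcludedIdList><GroupId>$($id.Approved)</GroupId></ExcludedIdList>
    <Entry Id="$($id.DenyEntry)">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>7</AccessMask>
    </Entry>
    <Entry Id="$($id.AuditDeniedEntry)">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
  <PolicyRule Id="$($id.AuditRule)">
    <Name>Audit use of approved drives</Name>
    <IncludedIdList><GroupId>$($id.Approved)</GroupId></IncludedIdList>
    <ExcludedIdList></ExcludedIdList>
    <Entry Id="$($id.AuditAllowedEntry)">
      <Type>AuditAllowed</Type>
      <Options>2</Options>
      <AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
"@

# Fail early on malformed XML rather than discovering it after the GPO applies.
[xml]$groupsXml | Out-Null
[xml]$rulesXml  | Out-Null

Set-Content -Path '.\DeviceControlGroups.xml' -Value $groupsXml -Encoding UTF8   # assumed path
Set-Content -Path '.\DeviceControlRules.xml'  -Value $rulesXml  -Encoding UTF8   # assumed path
```

Point the Group Policy settings under Microsoft Defender Antivirus → Features → Device Control ("Define device control policy groups" and "Define device control policy rules") at the two files on a share the endpoints can read. The deny rule is evaluated against every removable-media device except members of the approved group, so an unlisted drive is blocked for read, write and execute and the user sees a notification; approved drives still generate an AuditAllowed event, which is the attach record your SIEM retention requirement needs.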
Logging, exceptions, and operational best practices
Logging and an exception process are critical for auditors. Log device attach events (Security event ID 6416, "A new external device was recognized by the system", which requires the Audit PNP Activity subcategory to be enabled; the Microsoft-Windows-DeviceSetupManager log; or Defender device-control events), DLP blocks, and BitLocker status changes. Create a short exception workflow: documented business justification, a temporary allowlist entry tied to an identity, and automatic expiration (e.g., 7 days). Best practices: maintain a CMDB of approved device serials, rotate and escrow recovery keys, enforce least privilege on endpoint admin rights, and run quarterly scans to detect shadow or rogue devices.
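The detection side of the logging paragraph above, as an added example that is not part of the original post: it flattens Security event 6416 records, pulls the device serial out of the USBSTOR instance path, and flags USB storage attachments whose serial is not on the approved list. The sample event is constructed (the XML fields mirror what 6416 writes), and the approved serials are assumptions; the same function is then run over the live Security log.

```powershell
# Added example, not from the original post. The sample event and approved
# serials are constructed data; the live query needs Audit PNP Activity enabled:
#   auditpol /set /subcategory:"Plug and Play Events" /success:enable

$approvedSerials = @('4C530001231020104242', 'AA04012700012345')   # assumed allowlist

function ConvertFrom-PnpEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # EventData is a list of <Data Name="..."> nodes; flatten it to a hashtable.
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $deviceId = $d['DeviceId']

    # USBSTOR ids look like USBSTOR\DISK&VEN_X&PROD_Y&REV_1.00\<serial>&0 ; a device
    # with no USB serial gets a Windows-generated id containing further '&' segments.
    $serial = $null
    if ($deviceId -match '^USBSTOR\\[^\\]+\\([^\\]+)$') {
        $tail = $Matches[1] -replace '&\d+$', ''     # strip the trailing &<port instance>
        if ($tail -notmatch '&') { $serial = $tail }
    }

    [pscustomobject]@{
        Time         = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Computer     = $EventXml.Event.System.Computer
        User         = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ClassName    = $d['ClassName']
        DeviceId     = $deviceId
        Description  = $d['DeviceDescription']
        Serial       = $serial
        IsUsbStorage = [bool]($deviceId -like 'USBSTOR\*')
        Approved     = [bool]($serial -and ($approvedSerials -contains $serial))
    }
}

# Constructed sample: an unlisted commodity flash drive plugged in by CORP\jdoe.
$sampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>6416</EventID>
    <TimeCreated SystemTime="2024-05-01T14:02:11.512Z" />
    <Computer>WS-0042.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USBSTOR\DISK&amp;VEN_GENERIC&amp;PROD_FLASH_DISK&amp;REV_8.07\8735B7EB&amp;0</Data>
    <Data Name="DeviceDescription">Generic Flash Disk USB Device</Data>
    <Data Name="ClassId">{4d36e967-e325-11ce-bfc1-08002be10318}</Data>
    <Data Name="ClassName">DiskDrive</Data>
    <Data Name="VendorIds">USBSTOR\DiskGeneric_Flash_Disk______8.07</Data>
    <Data Name="CompatibleIds">USBSTOR\Disk</Data>
    <Data Name="LocationInformation">Port_#0003.Hub_#0001</Data>
  </EventData>
</Event>
'@
ConvertFrom-PnpEvent $sampleEvent | Format-List   # Serial 8735B7EB, IsUsbStorage True, Approved False

# Live use: unapproved USB storage attachments in the last 7 days on this host.
$suspect = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-PnpEvent ([xml]$_.ToXml()) } |
    Where-Object { $_.IsUsbStorage -and -not $_.Approved }
$suspect | Format-Table Time, Computer, User, Serial, Description -AutoSize
```

Event 6416 fires for every enumerated device, not only storage, so the IsUsbStorage filter matters; and the user is recorded as the session the device was plugged into, which is why device control is only informative when endpoints are not shared accounts. A device that shows Serial = $null in the output is one with a Windows-generated id and should be treated as unapproved.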
Risks of not implementing MP.L2-3.8.7
Failing to implement these controls exposes organizations to data exfiltration (malicious or accidental), introduction of ransomware or other malware via infected USB drives, and non-compliance findings, penalties, or contract loss when handling CUI. For small businesses working with DoD prime contractors, a single lost-CUI incident can destroy reputation and lead to contract termination. Operationally, unmanaged USB use also impedes incident investigations because the evidence (who plugged in what, and when) is never recorded.
Compliance tips and final recommendations
Practical tips: start with a risk-based inventory, pilot USB restrictions with a small user group, and prefer allowlist-first policies to blanket blocking (with an emergency break-glass procedure). Use company-issued hardware-encrypted drives when users need removable storage; for BitLocker To Go, prefer a smart-card (certificate) protector over a password where your PKI supports it. TPM protectors apply only to OS drives, so they cannot bind a removable drive. Combine device control with DLP rules (block copying of CUI to removable storage) and EDR alerting. Periodically test the policy by attempting controlled exfiltration (red-team exercise) and review logs monthly to validate enforcement.
Summary: Implementing MP.L2-3.8.7 requires a combination of blocking unmanaged USB storage, allowlisting trusted devices by hardware ID and serial number, and enforcing strong encryption (BitLocker To Go, FileVault/encrypted APFS, or FIPS 140-validated hardware-encrypted drives) with key escrow and logging. For small businesses, using MDM/EDR device-control features, a documented exception process, and consistent auditing will deliver the compliance posture required by NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 while minimizing operational disruption.